Top Nav

Google Removes ‘DroidDream’ Malware From Android Devices

Last updated: September 9, 2015 | 5,839 views

Android must be getting popular! It’s always a test of a new platform or OS, when does it start getting serious malware targeting it?

It seems like the time for Android is now, the news lately has been buzzing about the DroidDream malware that has been flooding the Android Market. Google pulled a number of malicious apps (rumoured to be more than 50) on March the 1st but kept hush – they later blogged about it on March 5th outlining some details about the malware and the vulnerability involved.

Google has acknowledged that it removed “a number” of malicious malware applications from the Android Market on March 1, and it has now reached out over the airwaves to remove the apps from end users devices as well.

Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google “believes” the attacker or attackers was only able to gather device-specific information, including unique used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

And it’s all well and good saying it only effects phones with Android versions lower than 2.2.2…but sadly that is still the majority of phones. Only the phones directly pushed out by Google get the most recent version of Android, all the other (HTC, Samsung, Motorola etc.) models out there still have older (vulnerable) versions.

Google maintains a persistent connection to Android phones that let the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to Android client loaded on handsets.

Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from android-market-support@google.com, and you’ll get a notification on your phone that a package called “Android Market Security Tool March 2011” has been installed. You may also receive a notification that the offending apps have been removed.

The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

Google will also be pushing out a security update to all Andoird hansets that were affected, if you’re an Android user you’ll see package called “Android Market Security Tool March 2011” installed which combats the malware.

Apparently it was quite easy to foil the malware if you were handy on the command line, all you needed to do was a create a file at /system/bin/profile/ using the terminal and the touch command then chmod 644 and you’re done.